Ghidra

Overview

Ghidra, an open-source software reverse engineering (SRE) framework created by the NSA research directorate, enables users to analyze compiled code on any platform, whether Linux, Windows, or macOS. This course is a starting point for developers interested in leveraging Ghidra to create patches and extend tool capabilities to meet their cybersecurity needs. You’ll begin by installing Ghidra and exploring its features, and gradually learn how to automate reverse engineering tasks using Ghidra plug-ins. You’ll then see how to set up an environment to perform malware analysis using Ghidra and use it in the headless mode. As you progress, you’ll use Ghidra scripting to automate the task of identifying vulnerabilities in executable binaries. The course also covers advanced topics such as developing Ghidra plug-ins, developing your own GUI, incorporating new process architectures if needed, and contributing to the Ghidra project.

Benefits

By the end of this Ghidra course, you’ll have developed the skills you need to harness the power of Ghidra for analyzing and avoiding potential vulnerabilities in code and networks.

Audience

  • Security champions
  • Software developers
  • Project managers

Prerequisites

  • Knowledge of Java or Python
  • Experience developing software

Lab environment

  • Local development environment
  • We can provide a cloud-based environment

Course outline

  • Getting Started with Ghidra is a journey through the history of Ghidra and an overview of the program from the user perspective.
  • Automating RE Tasks with Ghidra Scripts explains how to use Ghidra scripts to automate reverse engineering tasks and introduces script development.
  • Ghidra Debug Mode covers how to set up a Ghidra development environment, how to debug Ghidra, and all about the Ghidra debug mode vulnerability.
  • Using Ghidra Extensions provides you with background for developing Ghidra extensions and showing you how to install and use them.
  • Reversing Malware Using Ghidra demonstrates how to use Ghidra for malware analysis by reversing a real-world malware sample.
  • Scripting Malware Analysis continues the previous chapter by scripting for both languages, Java and Python, to analyze a shellcode found in the malware sample.
  • Using Ghidra Headless Analyzer explains Ghidra Headless Analyzer and applies this knowledge to a set of malware samples acquired with a script developed during the chapter.
  • Auditing Program Binaries introduces the topic of finding memory corruption vulnerabilities using Ghidra and how to exploit it.
  • Scripting Binary Audits continues the previous chapter, teaching how to automate the bug hunting process via scripting, taking advantage of the powerful PCode intermediate representation.
  • Developing Ghidra Plugins delves into Ghidra extension development by explaining that Ghidra plugin extensions are the way to get the most out of the Ghidra features implemented.
  • Incorporating New Binary Formats shows how to write Ghidra extensions to support new binary formats, taking a real-world file format as an example.
  • Analyzing Processor Modules discusses how to write Ghidra processor modules using the SLEIGH processor specification language.
  • Contributing to the Ghidra Community explains how to interact with the community using social networks, chats and how to contribute with your own development, feedback, bug reports, comments, and so on.
  • Extending Ghidra for Advanced Reverse Engineering introduces advanced reverse engineering topics and tools such as SMT solvers, Microsoft Z3, static and dynamic symbex, LLVM, and Angr, and explains how to incorporate them with Ghidra.